Cybersecurity

Decrypting outbound data a key to security

digital key

When researchers leave the Library of Congress, their bags are checked to ensure they’re not carrying out valuable documents. But not nearly enough federal agencies are doing the same with encrypted data.

Failing to decrypt and inspect outbound network traffic poses a security risk, says Randy Wood, federal vice president at F5 Networks, an application security firm.

Wood said he recently gave a briefing to military personnel and contractors at the Space and Naval Warfare Systems Command. The presentation covered the virtues of decrypting and inspecting outbound network traffic, and “it was as if people had seen fire for the first time,” Wood said at an Aug. 6 media briefing hosted by his firm. Firms like Wood’s could have much to gain commercially from greater federal focus on decrypting network traffic for threats.

The absence of decryption played a significant role in the recent hack of the Joint Chiefs of Staff’s unclassified email network, a former intelligence official familiar with the network told FCW. The Russian hackers believed to be behind the breach took advantage of encrypted traffic that the Joint Chiefs were not decrypting and inspecting, the former official said on the condition of anonymity. Moreover, the hackers could have been targeting the unclassified network in part because classified data occasionally spills onto it.

The broader subject of encryption has gotten more attention from lawmakers since the large-scale hacks of the Office of Personnel Management. Security practices such as encryption should “become the norm rather than the exception,” Rep. Elijah Cummings (D-Md.) said during a June 16 House Oversight and Government Reform Committee hearing. (A Department of Homeland Security official has nonetheless said that encryption would not have protected the data in the case of the OPM breaches.)

There is not much in the way of public measurements of how much federal network traffic is encrypted. Civilian agencies aside from DHS and the Justice Department are less likely to encrypt data at rest or in transit, according to Chris Cummiskey, a former DHS official turned IT security consultant. Agencies should prioritize more sensitive data for protection rather than rush to encrypt everything, he told FCW. “The government just doesn’t have a very good handle on the myriad datasets that they have in terms of prioritizing” what to secure, Cummiskey said.

Brian Taggart, a senior systems engineer at ClearShark, an IT vendor that works with F5 Networks, argues that the coming use of secure sockets layer (SSL), a common encryption protocol, for exfiltration in data breaches makes decrypting SSL traffic an imperative. “I think what’s most remarkable about some of the attacks we’ve seen in the last 18 months is [that] the data [exfiltration] was not SSL, but it’s going to be,” he said at the media briefing.

Malware recently uncovered by cybersecurity firm FireEye underlines that point. The malware, which the firm dubbed Hammertoss and linked to the Russian government, uses encrypted sessions on Twitter to relay commands and extract data from breached networks.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.


Featured

  • FCW Perspectives
    human machine interface

    Your agency isn’t ready for AI

    To truly take advantage, government must retool both its data and its infrastructure.

  • Cybersecurity
    secure network (bluebay/Shutterstock.com)

    Federal CISO floats potential for new supply chain regs

    The federal government's top IT security chief and canvassed industry for feedback on how to shape new rules of the road for federal acquisition and procurement.

  • People
    DHS Secretary Kirstjen Nielsen, shown here at her Nov. 8, 2017, confirmation hearing. DHS Photo by Jetta Disco

    DHS chief Nielsen resigns

    Kirstjen Nielsen, the first Homeland Security secretary with a background in cybersecurity, is being replaced on an acting basis by the Customs and Border Protection chief. Her last day is April 10.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.